
Host Files System Changes via Windows Subsystem for Linux

Elastic Detection Rules

Summary
This detection rule monitors file creation and modification events on Windows hosts, specifically actions initiated through the Windows Subsystem for Linux (WSL). Adversaries may use WSL to perform file operations that evade traditional security controls. The rule uses an EQL (Event Query Language) query to track processes and their associated file operations, focusing on cases where 'dllhost.exe' initiates file changes outside the typical user paths, with the Downloads folder excepted. It draws on several Windows log sources, including Winlogbeat and Sysmon, to gather the relevant event data. With a risk score of 47, its severity is categorized as medium, and it maps to the 'Defense Evasion' tactic of the MITRE ATT&CK framework, specifically the 'Indirect Command Execution' technique (T1202). The accompanying investigation notes give steps for validating an alert: reviewing the process details, examining the file paths involved, and correlating the alert with user activity logs to distinguish legitimate actions from malicious ones. To reduce false positives, the rule allows known legitimate applications that use WSL to be whitelisted, suppressing alerts that would otherwise arise from routine operations.
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • File
  • Windows Registry
ATT&CK Techniques
  • T1202
Created: 2023-01-12